INFORMATION WARFARE - DEFENSE

APPENDIX E

THINK PIECES

The following discussions were a part of the Task Force deliberations and
judged worthy of inclusion in the Task Force Report for reference only.

E.1 INFORMATION INFRASTRUCTURE ASSURANCE PRINCIPLES

Information assurance is a term which can be used to describe the needed
IW-D capabilities (and associated protection) of an information infrastructure.
Some basic definitions are needed to understand the principles:

Availability of Service - An assured level of service, capacity, quality,
timeliness, and reliability.

In the traditional systems engineering context, availability is a function
of the reliability and maintainability of the system while integrity of data
is a function of the quality (or grade of service) of the system transporting
the data. In addition, these measures of system performance are traditionally
based on design assumptions that disruptions are random in nature (e.g.,
component failures, human errors, and acts of nature).

Information assurance is not just a function of the reliability, maintainability,
and quality of the network or infrastructure. Information assurance addresses
the capability of an infrastructure to endure a variety of disruptions ranging
from natural disasters to accidents to intentional disruptions by the enemies
or by insiders. For example:

A lightning strike on a critical node in the network can cause node failure;
or an earthquake or hurricane can not only physically disrupt the network
but also cause network congestion, another source of disruption.

Inadvertently erasing a database containing terrain data critically needed
for a cruise missile strike can compromise a key part of an offensive strike.

Corruption of key network management data by a network manager can cause
many networks to fail.

An enemy agent located in a safe haven can introduce viruses that can cause
a network to become overloaded and ineffective or cause the entire network
to break down at a critical juncture.

This perspective on disruptions poses challenges for the intelligence,
operations, and training communities in defining the threat, which is essential
for a reasonable articulation of information assurance principles.

There are substantial differences between designing a typical information
system and designing a resilient information infrastructure capable of enduring
in the face of intentional disruptions. A typical information system design
assumes that all of the system components will normally operate properly,
with the common failure mode being failure of individual components. A resilient
information infrastructure design must be based on the assumption that only
some of the components will operate properly at any point in time. A typical
information system design will incorporate central control mechanisms,
synchronized clocks, and other techniques to use resources efficiently. A
resilient information infrastructure design must be based on some
decentralization of control and independent operation of portions of the
infrastructure. Information system design is typically based on efficiency
while a resilient information infrastructure design must be based on
effectiveness. For example, the entire field of fault tolerant computing
is based on the introduction of redundancy into otherwise efficient systems
in order to make them more effective, particularly against random disruptions.
Similarly, the design of a resilient infrastructure will assure diversity
of hardware and software so that a common failure mode will not result in
an infrastructure failure.

In the context of information assurance, network operation, management, and
maintenance should be viewed from a war fighting perspective. Personnel
performing these functions (and users in some cases), should be able to detect,
differentiate among, warn of, respond to, and recover from disruptions. Recovery
from disruptions resulting from failures or attacks might involve repair,
reconstitution, or the employment of reserve assets. In some cases, network
managers may have to isolate portions of the network to preclude the spread
of disruption. Given the speed with which disruptions can propagate through
networks, these capabilities may need to be available in automated form within
the network itself. Finally, there must be some means to manage and control
these capabilities.

The underlying philosophy in information assurance and in satisfying the
IW-D need must be that of risk management and not of risk avoidance. There
are not enough resources to armor plate the infrastructure. Risk management
suggests that the threat be defined, that measures be undertaken to reduce
the realization of the threat, that countermeasures to threat occurrence
be based on realistic application of resources and that response to and recovery
from threat occurrences be part of the infrastructure. Finally, it will be
necessary to assume some degree of risk while maintaining some minimum
infrastructure operating capability.

Based on a review of existing documentation, a list of information assurance
principles has been developed and is presented below. Because the infrastructure
and the concept of information assurance are still under development, the
list is not exhaustive.

The following operational information is required from CJCS and the
Commanders-in-Chief (CINCs) of the Unified and Specified (U&S) Commands
to quantify some of the principles:

Information Transfer Priorities - Priorities for the transfer of voice, data,
imagery, and video information based on a process developed by the JCS and
based on the existing process used to establish priorities for voice and
messages.

Minimum Operating Capability - The minimum set of fixed and deployed capabilities
required for each stress level, based on operations tempo and forces supported.

Normal Operating Capability - A specified set of fixed and deployed capabilities
required for peacetime and crisis/mobilization stress levels, based on operations
tempo and forces supported. (In coordination with CJCS and the CINCs, DISA
will, in its role as the central manager of the DII, specify this set.)

Expected Disruptions - The expected level of disruptions to be sustained
over time at each stress level. (This is normally based on intelligence estimates
of enemy capabilities, insider threats, natural disasters, and other anticipated
causes.)

Minimum Assured Resiliency - The capability to sustain a specified number
of simultaneous, worst-case disruptions at each stress level while still
maintaining the Minimum Operating Capability.

Desired Resiliency - The capability to sustain Expected Disruptions while
maintaining a Normal Operating Capability. (In coordination with CJCS and
the CINCs, DISA will, in its role as the central manager of the DII, specify
this set.)
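The resiliency definitions above lend themselves to a concrete check. The following Python is added here as an illustration and is not part of the Task Force report: it models a constructed set of network components with capacities and hardware/software families, then tests Minimum Assured Resiliency (worst-case k simultaneous losses against the Minimum Operating Capability), the diversity principle (no single common failure mode drops service below that capability), and Desired Resiliency against a list of Expected Disruptions. All component names, capacities and thresholds are assumed values.

```python
from itertools import combinations

# Constructed sample infrastructure (not from the report): each component
# delivers some capacity and belongs to a hardware/software family, so a
# common failure mode can be modelled as "every component of one family fails".
COMPONENTS = {
    "switch-1": {"capacity": 40, "family": "vendor-X"},
    "switch-2": {"capacity": 40, "family": "vendor-X"},
    "switch-3": {"capacity": 30, "family": "vendor-Y"},
    "switch-4": {"capacity": 30, "family": "vendor-Y"},
    "switch-5": {"capacity": 20, "family": "vendor-Z"},
}
MINIMUM_OPERATING_CAPABILITY = 60   # assumed figure for one stress level
NORMAL_OPERATING_CAPABILITY = 100   # assumed figure for the same stress level


def surviving_capacity(components, failed):
    """Capacity still delivered after the components in `failed` are lost."""
    return sum(c["capacity"] for n, c in components.items() if n not in failed)


def worst_case_capacity(components, k):
    """Minimum surviving capacity over every choice of k simultaneous failures."""
    return min(surviving_capacity(components, set(lost))
               for lost in combinations(components, k))


def has_minimum_assured_resiliency(components, k, moc):
    """Minimum Assured Resiliency: k simultaneous worst-case disruptions
    still leave at least the Minimum Operating Capability (moc)."""
    return worst_case_capacity(components, k) >= moc


def max_assured_disruptions(components, moc):
    """Largest k for which Minimum Assured Resiliency holds."""
    k = 0
    while k < len(components) and has_minimum_assured_resiliency(components, k + 1, moc):
        k += 1
    return k


def common_mode_weaknesses(components, moc):
    """Families whose total loss (a common failure mode) drops service below
    the Minimum Operating Capability; the diversity principle wants this empty."""
    families = {c["family"] for c in components.values()}
    return sorted(f for f in families if surviving_capacity(
        components, {n for n, c in components.items() if c["family"] == f}) < moc)


def has_desired_resiliency(components, expected_disruptions, noc):
    """Desired Resiliency: every Expected Disruption (a set of components lost
    together) still leaves the Normal Operating Capability (noc)."""
    return all(surviving_capacity(components, lost) >= noc
               for lost in expected_disruptions)
```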

Information Assurance Principles:

The infrastructure shall be considered a potential battlefield.

The infrastructure shall provide Minimum Resiliency.

The infrastructure shall detect substantial disruption, differentiate accidental
disruption from intentional disruption, provide ample warning of disruption,
respond to and recover from disruption, and be repairable at a rate sufficient
to sustain Minimum Operating Capability under Expected Disruptions.

The infrastructure shall detect large classes of event sequences that are
likely or anticipated to lead to disruption and provide mechanisms so that
disruptions from these events are:

- Prevented when possible within cost constraints

- Limited in the extent of their effect when prevention is not feasible

- Responded to prior to actual disruption when detected in time

- Traced to their source whenever possible within cost constraints.

The infrastructure network and system control functions shall be designed
to operate without dependence on the normal operation of the network or processes
being controlled.

The infrastructure responses to disruption shall be prioritized and shall
take into account factors such as time, value, criticality, and locality
as related to the information being transported.

Changes to the infrastructure shall be analyzed and simulated prior to
implementation to ensure that the infrastructure maintains assurance attributes
during and after these changes.

The infrastructure operations, management, and maintenance personnel and
information assurance capabilities shall be regularly tested under realistic
conditions to ensure that they perform and operate properly. Prior to testing,
proposed tests must be simulated to assess expected behavior and ensure that
the tests do not unduly degrade the infrastructure. After testing, expected
and actual behavior must be reconciled and addressed.

The infrastructure shall be designed to be flexible with respect to information
assurance attributes so that as requirements, technologies, and processes
are altered over time, the infrastructure will retain the Desired Resiliency
specified by DISA.

The infrastructure shall be capable of retaining the Desired Resiliency during
infrastructure expansion, contraction, modification, and connection to combined
forces infrastructures.

New infrastructure components shall be designed such that:

- If they are disrupted, they do not react so as to disrupt neighboring components

- Disrupted neighboring components do not disrupt the new component regardless
of the neighboring component's behavior

- Disrupted components are quarantined until they return to normal operating
behavior

- Network and system management services are notified of disruptions and
quarantines.

Techniques for limiting the spread of disruptions (e.g., firewalls) shall
be used where applicable, particularly in the design of network protocols
and in gateways between networks.

The infrastructure training and readiness programs shall be designed to ensure
that personnel tasked with operating, managing, and maintaining the
infrastructure are prepared for operations under stress, and that ample personnel
and resources are available to operate and sustain the infrastructure at
the Minimum Operating Capability during Expected Disruptions.

Sufficient inventory of and/or manufacturing capability for parts, equipment,
tools, supplies, and support systems shall be maintained to enable operation,
repair, and reconstitution of the infrastructure under all stress levels.

The infrastructure users shall be licensed to operate on the information
highway. Licensing procedures shall include knowledge of the network, rules
of the road, information assurance, and incident response processes and
capabilities.

The goal in postulating these information assurance principles is to eventually
outline a set of specifications (on the order of A-Level specifications)
that will shape the design and integration of the infrastructure or that
can be used as a part of the specifications for the acquisition of services
from the local and long-distance carriers and from information processing
vendors. In order to bridge the gap between the information assurance principles
and a set of specifications, it will be necessary to develop strategies for
providing the attributes. Some elements that might be considered in developing
those strategies include:

Capacity

Diversity

Co-location of network components at hardened subscriber sites

Provision of uninterruptable power to selected sites

Selected redundancy in network components

Use of diverse transmission media

Redundant network access links for key subscribers

Precedence (priority) mechanisms

Congestion control mechanisms

Transportable reserve assets for reconstitution of damaged portions of the
network

Infrastructure restoration and reconstitution

Multiple inter-network gateways

Personal reliability program for network managers

End-to-end network control (that does not depend on the network to operate)

Scalable infrastructure components

Repairability.

Successful implementation of information assurance will require a
multi-disciplinary team capable of formulating a comprehensive set of
requirements, knowledgeable of current and emerging technologies, capable
of overseeing the design of the infrastructure from an information assurance
perspective, and capable of managing the implementation of information assurance
in the infrastructure.

E.2 "Raise the Bar" Exercise

The goal is to maximally improve DoD's information assurance as quickly as
possible but "do it on the cheap" without involving unnecessarily complex
technology, and without awaiting the outcome of R&D efforts now underway
or that could be imagined.

It can be played two ways:

1. Assume that a given pot of money is available, take as a goal maximizing
the protection of DoD information assets and internal systems soonest (i.e.,
little or no R&D), and decide how and on what to spend it.

2. As above in item [1] except first compile a reasonable list of actions
to be taken, and then estimate the cost to do them.

Below are some options from which to select, but not a comprehensive or complete
list by any means. The sequence in the list is happenstance.

1. Provide users of the most sensitive systems commercially available tokens
of some sort to improve the user identification/authentication act of logging
on; e.g., SecurID cards.

2. The same as item [1] except do it for all users in an operational entity;
e.g., the command-control chain, tactical logistics, forward air bases.

3. Increase the level of effort in the USAF program (briefed to us) by a
factor of 3 to get it done sooner. Alternately, pick a different factor of
speedup.

4. Examine the other military services to ascertain whether corresponding
programs would be effective for them, or whether variations on the USAF approach
would be more sensible.

5. Implement [4] with a projected time-to-complete of X years.

6. Industrial organizations who have had serious intrusions into their systems
and who appreciate the importance of protecting against them have mounted
massive internal programs to make every employee aware of the issue, of
individual responsibility, and of the actions being taken by the organization.
Notable among such examples is Citibank.

Mount an intensive all-hands awareness program of information assurance in
some/all/each of the military services. Alternately, confine the program
to those organizational entities that are "closest" to the information assets
and in best position to take appropriate steps if informed.

7. Survey all installed info-systems in the military structure that are based
on COTS software and/or hardware. Compile a corresponding list of the known
security flaws and fixes for each of them, and institute an aggressive effort
to make sure that all such fixes are properly installed, tested, and made
operational in (say) 18 months, and that the relevant operational staffs
are also well informed and trained.

8. Make the recently published NIST Handbook of computer security required
reading for all personnel associated with the operations, maintenance,
installation, design, procurement and upgrade of both hardware and software
in key [or: all] information systems [Alternate: do this initially for all
information systems based on COTS; but later, add the embedded systems as
well].

Make this handbook also required reading for every training or educational
course given to military personnel.

9. Survey all acquisitions of information systems and computer-containing
weapon systems now underway and take such steps as necessary to guarantee
that up-front design consideration has been given to information assurance,
netsec, infosec and opsec.

10. Compile an inventory of all weapon systems that contain embedded computers
and for each, define and characterize the line of responsibility, organization(s)
and physical locations which support the deployed system. Hence, identify
vulnerabilities and weak spots that might be exploited by an opponent; create
plans to remedy these risks on a quick response basis.

11. Survey all deployed weapon systems that are computer-based with especial
attention to all phases of maintenance and upgrades of software and hardware
and to daily operations. The object is to identify places and means by which
subversive actions could be taken to degrade or perturb weapon performance.
The level of effort might be such that candidates for this examination will
need to be ranked in order of importance and operational vulnerability.

12. As in item [11] but do for all support systems, whether CONUS or field
deployed, that are not COTS-based but use specialized software and/or hardware.

13. As in [12] but for COTS-based systems.

14. Reconsider any/all of the prior suggestions from the point of view of
likely geographic, cultural and infrastructure circumstances in which U.S.
military forces might have to operate in the next (say) decade; e.g., SWA,
Adriatic theater, mid-East, Korea. Object: to judge whether a different
prioritization of effort would be suggested or warranted.

15. Begin an assessment of the civilian-infrastructure aspect of the issue;
e.g., identify the military bases essential for an OCONUS deployment and
do so for several different durations of engagement (e.g., weeks, months,
years). Identify for each the present arrangements for provision of electrical
power, of other energy sources, of communications -- especially telephone
and PSN-based, and of off-base medical, personnel, or commissary requirements.

16. As in [14], but for long-term overseas bases; e.g., Europe,
Japan/Korea/Okinawa.

17. Any/all of the above for the intelligence systems (sensors, ground stations,
antenna farms, electronic establishments) rather than for the operational
forces and the support structure.